apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "gadget.fullname" . }}-cluster-role
  {{- if not .Values.skipLabels }}
  labels:
    {{- include "gadget.labels" . | nindent 4 }}
  {{- end }}
rules:
  - apiGroups: [""]
    resources: ["namespaces", "nodes", "pods"]
    verbs: ["get", "watch", "list"]
  - apiGroups: [""]
    resources: ["services"]
    # list is needed by network-policy gadget
    # watch is needed by operators enriching with service informations
    verbs: ["list", "watch"]
  - apiGroups: ["gadget.kinvolk.io"]
    resources: ["traces", "traces/status"]
    # For traces, we need all rights on them as we define this resource.
    verbs: ["delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"]
  - apiGroups: ["*"]
    resources: ["deployments", "replicasets", "statefulsets", "daemonsets", "jobs", "cronjobs", "replicationcontrollers"]
    # Required to retrieve the owner references used by the seccomp gadget.
    verbs: ["get"]
  - apiGroups: ["security-profiles-operator.x-k8s.io"]
    resources: ["seccompprofiles"]
    # Required for integration with the Kubernetes Security Profiles Operator
    verbs: ["list", "watch", "create"]
  - apiGroups: ["security.openshift.io"]
    # It is necessary to use the 'privileged' security context constraints to be
    # able mount host directories as volumes, use the host networking, among others.
    # This will be used only when running on OpenShift:
    # https://docs.openshift.com/container-platform/4.9/authentication/managing-security-context-constraints.html#default-sccs_configuring-internal-oauth
    resources: ["securitycontextconstraints"]
    resourceNames: ["privileged"]
    verbs: ["use"]
